Re: [ossec-list] syslog_output question
That's perfect, exactly what I needed to know! Thank you!

On Tuesday, July 11, 2017 at 3:58:37 AM UTC-4, Victor Fernandez wrote:

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] syslog_output question
Hi Robert,

OSSEC should take these settings independently:

- Configuration A will send alerts with level 8 or higher.
- Configuration B will send alerts with level 4 or higher (including alerts sent by the former setting) belonging to these groups.

So you'll receive duplicate alerts. One option would be to enter every group but the ones specified in configuration B.

Let me tell you that Wazuh agents include an improvement that allows negating expressions. So you may use a setting like this one:

    <syslog_output>
      <level>8</level>
      <server>192.168.0.5</server>
      <group>!invalid_login|adduser|blah|andsoon</group>
    </syslog_output>

    <syslog_output>
      <level>4</level>
      <group>invalid_login|adduser|blah|andsoon</group>
      <server>192.168.0.5</server>
    </syslog_output>

Hence you'll have alerts with level 4 or higher (even 8 or more) belonging to these groups, plus alerts with level 8 or higher of any other group.

Hope it helps.
Best regards.

On Mon, Jul 10, 2017 at 10:29 PM, Robert B wrote:

--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
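The selection logic Victor describes, as an added example that is not code from the thread, from OSSEC or from Wazuh: a small Python model of how several syslog_output blocks pick alerts, run over a handful of constructed alerts. It counts how many syslog copies each alert would produce under the two-block setup from the question (level 8 block plus level 4 group block) and under the negated variant. The `<group>` filter is approximated as a substring check of each `|`-separated alternative against the alert's comma-joined group list, with a leading `!` negating the whole expression; OSSEC's real engine is its OSMatch matcher, so treat the matching function, the alert names and their levels as assumptions made for the demonstration.

```python
"""Model of how OSSEC/Wazuh <syslog_output> blocks select alerts (added example,
simplified; not the project's own code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Alert:
    name: str                 # constructed label, not a real OSSEC rule id
    level: int                # rule level of the alert
    groups: Tuple[str, ...]   # rule groups the alert carries


@dataclass(frozen=True)
class SyslogOutput:
    """One <syslog_output> block: <server>, <level>, optional <group>."""
    server: str
    level: int
    group: Optional[str] = None


def group_matches(pattern: Optional[str], alert: Alert) -> bool:
    """Approximation of the <group> filter (assumption: substring matching of
    '|'-separated alternatives against ',group1,group2,'; OSSEC really uses
    OSMatch). A leading '!' negates the expression, as in the Wazuh extension."""
    if pattern is None:
        return True
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    haystack = "," + ",".join(alert.groups) + ","
    hit = any(alt and alt in haystack for alt in pattern.split("|"))
    return not hit if negate else hit


def matching_blocks(outputs: Sequence[SyslogOutput], alert: Alert) -> List[SyslogOutput]:
    """Every block that would forward this alert: level threshold AND group filter."""
    return [o for o in outputs
            if alert.level >= o.level and group_matches(o.group, alert)]


def copies_per_alert(outputs: Sequence[SyslogOutput],
                     alerts: Sequence[Alert]) -> Dict[str, int]:
    """Number of syslog messages each alert generates; more than 1 means duplicates."""
    return {a.name: len(matching_blocks(outputs, a)) for a in alerts}


def duplicates(outputs: Sequence[SyslogOutput], alerts: Sequence[Alert]) -> List[str]:
    """Names of alerts that would reach the server more than once."""
    return [name for name, n in copies_per_alert(outputs, alerts).items() if n > 1]


GROUPS = "invalid_login|adduser|blah|andsoon"

# Two-block configuration from the question: level >= 8 for everything,
# plus level >= 4 for the listed groups.
ORIGINAL_CONFIG = [
    SyslogOutput("192.168.0.5", 8),
    SyslogOutput("192.168.0.5", 4, GROUPS),
]

# Negated variant from the reply: the level-8 block excludes the listed groups.
NEGATED_CONFIG = [
    SyslogOutput("192.168.0.5", 8, "!" + GROUPS),
    SyslogOutput("192.168.0.5", 4, GROUPS),
]

# Constructed sample alerts (names, levels and groups are illustrative).
SAMPLE_ALERTS = [
    Alert("ssh-fail", 5, ("syslog", "sshd", "invalid_login", "authentication_failed")),
    Alert("ssh-brute", 10, ("syslog", "sshd", "invalid_login", "authentication_failures")),
    Alert("new-user", 8, ("syslog", "adduser")),
    Alert("kernel-msg", 2, ("syslog", "errors")),
    Alert("sudo-ok", 9, ("syslog", "sudo")),
]

if __name__ == "__main__":
    for label, cfg in (("two plain blocks", ORIGINAL_CONFIG), ("negated block", NEGATED_CONFIG)):
        print(f"{label}: {copies_per_alert(cfg, SAMPLE_ALERTS)} duplicates={duplicates(cfg, SAMPLE_ALERTS)}")
```

With the two plain blocks, `ssh-brute` (level 10, invalid_login) and `new-user` (level 8, adduser) each match both blocks and go out twice, while `ssh-fail` (level 5) only matches the group block and `sudo-ok` (level 9) only the level block. With the negated first block every alert is forwarded at most once, which is the outcome the reply describes.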
[ossec-list] syslog_output question
This was a little unclear to me after reading the documentation and searching around... pardon if it's been asked and answered, I simply have not found it.

We have a single server we want to send syslog output to; however, we also want to have different levels for some alerts. Would it be as simple as two syslog_output sections, such as below, or would this create duplicate alerts, take the last syslog_output section, or can it be done in a single section?

    <syslog_output>
      <level>8</level>
      <server>192.168.0.5</server>
    </syslog_output>

    <syslog_output>
      <level>4</level>
      <group>invalid_login|adduser|blah|andsoon</group>
      <server>192.168.0.5</server>
    </syslog_output>

Thanks!
Bob